Remove users, groups, or devices from an administrative unit
When users, groups, or devices in an administrative unit no longer need access, you can remove them.
- Microsoft Entra ID P1 or P2 license for each administrative unit administrator
- Microsoft Entra ID Free licenses for administrative unit members
- Privileged Role Administrator
- Microsoft Graph PowerShell module when using PowerShell
- Admin consent when using Graph Explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
You can remove users, groups, or devices from administrative units individually using the Microsoft Entra admin center. You can also remove users in a bulk operation.
Tip: Steps in this article might vary slightly based on the portal you start from.
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity.
Browse to one of the following:
- Users > All users
- Groups > All groups
- Devices > All devices
Select the user, group, or device you want to remove from an administrative unit.
Select Administrative units.
Add check marks next to the administrative units you want to remove the user, group, or device from.
Select Remove from administrative unit.
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Roles & admins > Admin units.
Select the administrative unit that you want to remove users, groups, or devices from.
Select one of the following:
- Users
- Groups
- Devices
Add check marks next to the users, groups, or devices you want to remove.
Select Remove member, Remove, or Remove device.
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Roles & admins > Admin units.
Select the administrative unit that you want to remove users from.
Select Users > Bulk operations > Bulk remove members.
In the Bulk remove members pane, download the comma-separated values (CSV) template.
Edit the downloaded CSV template with the list of users you want to remove.
Add one user principal name (UPN) in each row. Don't remove the first two rows of the template.
Save your changes and upload the CSV file.
Select Submit.
Use the Remove-MgDirectoryAdministrativeUnitMemberByRef command to remove users, groups, or devices from an administrative unit.
```powershell
# Remove a user
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Test administrative unit 2'"
$userObj = Get-MgUser -Filter "UserPrincipalName eq 'bill@example.com'"
Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -DirectoryObjectId $userObj.Id

# Remove a group
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Test administrative unit 2'"
$groupObj = Get-MgGroup -Filter "DisplayName eq 'TestGroup'"
Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -DirectoryObjectId $groupObj.Id

# Remove a device ('TestDevice' is a placeholder display name; $adminUnitObj is reused from above)
$deviceObj = Get-MgDevice -Filter "DisplayName eq 'TestDevice'"
Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -DirectoryObjectId $deviceObj.Id
```
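The following script is an added example, not part of the original article or Microsoft's own code. It removes several users with the same command, skips anything that is not currently a member, and re-reads the membership afterward to confirm each removal. The UPN list is constructed sample input, and the requested scopes are an assumption about what the signed-in account can consent to.

```powershell
# Added example: removes a list of users from one administrative unit and verifies the result.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'User.Read.All'

$adminUnitName = 'Test administrative unit 2'
$upnsToRemove  = @('bill@example.com', 'dana@example.com')   # constructed sample input

# Resolve the administrative unit; stop on zero or ambiguous matches so the wrong unit is never edited.
$adminUnit = @(Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq '$adminUnitName'")
if ($adminUnit.Count -ne 1) {
    throw "Expected exactly one administrative unit named '$adminUnitName', found $($adminUnit.Count)."
}
$auId = $adminUnit[0].Id

# Snapshot current membership so only objects that really are members get a removal call.
$memberIds = @((Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $auId -All).Id)

$results = foreach ($upn in $upnsToRemove) {
    $safeUpn = $upn.Replace("'", "''")                      # escape quotes for the OData filter
    $user = @(Get-MgUser -Filter "UserPrincipalName eq '$safeUpn'")
    if ($user.Count -ne 1) {
        [pscustomobject]@{ Upn = $upn; ObjectId = $null; Status = 'UserNotFound' }
        continue
    }
    $id = $user[0].Id
    if ($memberIds -notcontains $id) {
        [pscustomobject]@{ Upn = $upn; ObjectId = $id; Status = 'NotAMember' }
        continue
    }
    try {
        Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $auId `
            -DirectoryObjectId $id -ErrorAction Stop
        [pscustomobject]@{ Upn = $upn; ObjectId = $id; Status = 'Removed' }
    } catch {
        [pscustomobject]@{ Upn = $upn; ObjectId = $id; Status = "Failed: $($_.Exception.Message)" }
    }
}

# Re-read membership and flag any object that was reported removed but is still listed.
$remainingIds = @((Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $auId -All).Id)
foreach ($r in $results) {
    if ($r.Status -eq 'Removed' -and $remainingIds -contains $r.ObjectId) {
        $r.Status = 'StillMember'
    }
}

$results | Format-Table Upn, ObjectId, Status -AutoSize
```

Keep the resulting table with the change record so the scoped administrators' reduced reach can be confirmed later.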
Use the Remove a member API to remove users, groups, or devices from an administrative unit. For {member-id}, specify the user, group, or device ID.
```http
DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/members/{member-id}/$ref
```